afc094a7e7120c7240b6b1ea2ba6659e48dbd37f519087e4fd0296f23c9d7ff1

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa4326c1ce14edbd9eef77add4cb1680N.exe
Size

2.6MB
MD5

aa4326c1ce14edbd9eef77add4cb1680
SHA1

32e67525829050225c6e81e818bbc80f83c30f0e
SHA256

afc094a7e7120c7240b6b1ea2ba6659e48dbd37f519087e4fd0296f23c9d7ff1
SHA512

b1c81efc47580055ce4b988b660826f8bca40ce5f4302b2d4a0641ec4dbe2503617da5c5e7e620ff93b55a3f61daf03a539314b7fbb6fbb13a09145c0fecbb03
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUptb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	aa4326c1ce14edbd9eef77add4cb1680N.exe

Executes dropped EXE 2 IoCs

pid	Process
4636	ecdevopti.exe
3040	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHR\\xdobsys.exe"	aa4326c1ce14edbd9eef77add4cb1680N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHY\\bodaec.exe"	aa4326c1ce14edbd9eef77add4cb1680N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa4326c1ce14edbd9eef77add4cb1680N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	aa4326c1ce14edbd9eef77add4cb1680N.exe
1420	aa4326c1ce14edbd9eef77add4cb1680N.exe
1420	aa4326c1ce14edbd9eef77add4cb1680N.exe
1420	aa4326c1ce14edbd9eef77add4cb1680N.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe
4636	ecdevopti.exe
4636	ecdevopti.exe
3040	xdobsys.exe
3040	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 4636	1420	aa4326c1ce14edbd9eef77add4cb1680N.exe	86
PID 1420 wrote to memory of 4636	1420	aa4326c1ce14edbd9eef77add4cb1680N.exe	86
PID 1420 wrote to memory of 4636	1420	aa4326c1ce14edbd9eef77add4cb1680N.exe	86
PID 1420 wrote to memory of 3040	1420	aa4326c1ce14edbd9eef77add4cb1680N.exe	87
PID 1420 wrote to memory of 3040	1420	aa4326c1ce14edbd9eef77add4cb1680N.exe	87
PID 1420 wrote to memory of 3040	1420	aa4326c1ce14edbd9eef77add4cb1680N.exe	87

C:\Users\Admin\AppData\Local\Temp\aa4326c1ce14edbd9eef77add4cb1680N.exe
"C:\Users\Admin\AppData\Local\Temp\aa4326c1ce14edbd9eef77add4cb1680N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\FilesHR\xdobsys.exe
  C:\FilesHR\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesHR\xdobsys.exe

Filesize
2.6MB

MD5
9b41bc8af138694e0452e1931627c7bd

SHA1
76b0be480768219bbbbfd7c9ae8985eaf320ec99

SHA256
e953354aef7c9c956c8283dd13600e0053575789197b7a11abaf839410e023ed

SHA512
b9bd25e988a6e48f5a3e1222a2537c8d748f972b1205ad1a7401ca09def6897d72cab10d5a12f740aa05580167df763fb59a9d1e217c3961a2b6eccb5e216fd1

Download Submit
C:\GalaxHY\bodaec.exe

Filesize
1.9MB

MD5
d432d4a2c306f2d43ad0406c2981e26a

SHA1
129f452a3eb569d14fb1d342c11b99756d10c423

SHA256
d7877293a7c7847f2ac991978d8fa8dbd48d3cb51f30abc966018960fdad970f

SHA512
abf480691c83682c3e7c092c36a260bdb7085ed42e2a35dffcc21482edbc133d4346bb9fedc76f927e9167ba538088fe437a179fcb40967e7b7cfcba8a8584b4

Download Submit
C:\GalaxHY\bodaec.exe

Filesize
2.6MB

MD5
8983d395921c6f2541b3d89a8f79b5cf

SHA1
0dd618b662b25ac986d17c5b5ee8e66e4b8c38f1

SHA256
e3c6d37be9e68eba78f05c09aebbb22768941c89cebeb082204e043450d7080a

SHA512
01d409a7b549b4a72de22dc2a8010b4a61c18b11c6ff92ae1b01d01b5af4dde793f56c83b9c109270b8e51edc742fbf6e187e96c7716a520b92dc7f649eb6ff7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
6c71b80b467bb9ca2e0b4d3ed244c6f5

SHA1
acf646bbf6d366f83b44fe508d2524f3b0b46a18

SHA256
b04ce25c1714e1976a81cf62f29d766e35e1a3834607491eef5231a79ff44033

SHA512
0c2bb56fa4dd1e6c03196603f0d2996939495ae2e32d092b762be529b1567d617bc4e3a96ab134ceaaaddf0172aaa4571e4f487a8efee02d3748f1816d7e287e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
7d14e312d954e286bd97e6cd17799e0e

SHA1
c7b0a9edaa094b9e62413e8ffd999edb4c9f8b39

SHA256
7bdfbab1a8e6dcee91d942e48c059d3b7567519b77bafae1921c205227120f0d

SHA512
d565661701570437ff150ce37367b43deb22bdfa73bd4b69f1e86b1c65fa89a57334ff8697cff021928d1eebd1398d5ddefa47ee7125a725b71a481a222f4e16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
ba23fb1baa7b502eb4f61822a6ef3f6f

SHA1
98517c6894841d4b264b8ae1538327beeb982fb3

SHA256
7c29924fcb4a1070ef2e46b9cdeb59a96df9f41f2a7271f2f80892d3adeb22e8

SHA512
80a1e7828c39abb758ed9d5adb766a61e08abf7328a38a663cc6ed165f7262ebc320560be450a4bc022e0fea55f4834073c89656dbcdc43e234f129b63402745

Download Submit